Nearly every iPhone and iPad user has an iCloud account where they may store photos, backups and other sensitive data. Establishing or linking to an iCloud account is part of the setup process when turning on a new phone or iPad. Apple even provides 5GB of iCloud storage free to every account.
With all those personal photos, emails and more hanging out in iCloud, security should be at the top of your mind. So if your iCloud password is strong, your account is safe, right? Think again.
A security researcher has discovered a flaw in the iOS Mail app that allowed him to embed malicious code in emails designed to steal your iCloud password. The flaw causes a fake iCloud login box to pop up when you open up the malicious email. If you enter your password into the fake screen, the email sender now has access to your account.
It's very easy to fall for this clever phishing attack, because the fake iCloud login box looks identical to the legitimate box that pops up any time you need to verify your iCloud account for App Store purchases and other actions on your gadget.
In response to this new discovery, Apple says that it doesn't know of any users affected by hacks using this method. Apple also says it is working on a software patch to deal with the issue. Until then, you should take the proper precautions to protect your account.
If an iCloud login box shows up while you're in the Mail app, click cancel. You can click the home button on your gadget to find out if the box is fake or not. The fake box is tied to the malicious email. So, if you click the home button, your phone will exit the Mail app and you will no longer see the fake box.
Legitimate iCloud login requests will not close if you hit the home button. You have to enter your information and click "OK", or click "Cancel", to exit out of these legitimate login prompts.
You should also activate two-factor authentication on your iCloud account. With this feature enabled, Apple will send a PIN for one-time use to your registered gadget when anyone tries to log in. That way, hackers won't be able to log in to your account even if they steal your password. For more information about how to set up and use two-factor authentication, see my Tip on the subject here.